On 19/09/2017 14:59, Gervase Markham via dev-security-policy wrote:
> It might also be worth thinking about the value that DNSSEC adds, over and above a non-secure CAA check, in various attack scenarios. At the moment, I'm thinking that DNSSEC doesn't necessarily add much. Here are 3 quick scenarios, for a domain which is CAA locked so only CA Bar can issue:
>
> * Misguided employee tries to get CA Foo to issue for your domain - in which case, non-DNSSEC-signed checking will do.
>
> * Attacker has some control of CA Foo but can't override CAA check - in which case, non-DNSSEC-signed checking will do.
>
> * Attacker has control of CA Foo but can override CAA check - in which case, it doesn't matter what your DNS says.
An important consideration is that CAA with DNSSEC gives domain owners the ability to more or less fully mitigate BGP hijacking attempts against unauthorized CAs. Right now, this requires domain owners to only permit issuance from CAs with sufficient mitigations against BGP hijacking on their end, or special agreements regarding the approval process, so it is probably not seeing wide use yet. But with the upcoming CAA Record Extensions for Account URI and ACME Method Binding (which is in WG last call), this option will (hopefully soon after) become available to the general public, so this would definitely be an area where DNSSEC improves things, for a change.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
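As an added illustration (not code from the thread, and not any CA's implementation), the following Python models the CA-side policy check that the Account URI and ACME Method Binding extensions enable once a CAA RRset has been obtained through DNSSEC-validated resolution. The zone, CA name and account URI are constructed sample values, account URIs are compared as plain strings, and the RFC 8659 tree-climbing lookup is assumed to have already happened.

```python
import re

# Constructed CAA RRset for a DNSSEC-signed zone (sample values, not from the
# thread): only ca.example.net may issue, only through one ACME account, and
# only after DNS-based validation, so an attacker who hijacks the route to
# the web server and passes http-01 at that same CA still gets no certificate.
ZONE_CAA = [
    '0 issue "ca.example.net; accounturi=https://ca.example.net/acme/acct/4711; validationmethods=dns-01"',
]

CAA_RE = re.compile(r'^(\d+)\s+(\w+)\s+"(.*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rr: str):
    """Parse one CAA RR in presentation format ('flags tag "value"') into
    (flags, tag, issuer, params); issuer/params are empty for non-issue tags."""
    m = CAA_RE.match(rr.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {rr!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if tag not in ("issue", "issuewild"):
        return flags, tag, "", {}
    issuer, *raw = [p.strip() for p in value.split(";")]
    params = {}
    for p in raw:                  # "name=value" parameters after the issuer
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return flags, tag, issuer.lower(), params

def issuance_allowed(rrset, ca_domain, account_uri, method) -> bool:
    """CA-side decision for a non-wildcard name, following RFC 8659/8657:
    an unknown tag with the critical flag (128) forbids issuance outright;
    otherwise some 'issue' record must name this CA, and where that record
    carries accounturi / validationmethods the request must match them
    (account URIs compared here as plain strings, a simplification)."""
    records = [parse_caa(rr) for rr in rrset]
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _, _ in records):
        return False
    for _, tag, issuer, params in records:
        if tag != "issue" or issuer != ca_domain.lower():
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        methods = params.get("validationmethods")
        if methods and method not in [x.strip() for x in methods.split(",")]:
            continue
        return True
    return False
```

With the constructed record, a request at the permitted CA that was validated via http-01, or that came from a different ACME account, is refused even though a plain "issue ca.example.net" record would have allowed it.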